Despite information security figuring in the defence and national security consciousness since well before the end of the Cold War, we remain in the early days of cyber.
For some years after September 2001, when concerns over cyber were overtaken as a national security priority by terrorism, cyber tended to be seen as a secondary concern, most worrying when it merged with other threats like cyberterrorism.
That seemed a fair conclusion. Terrorism is a tool of the weak. Cyber is similar—an attack can be launched with little more than a laptop and an internet connection.
And there is indeed a thriving criminal industry comprising individuals, loosely affiliated networks and more established gangs, trading in exploits, malware and stolen data. Ransomware, with its prospect of fast and easy financial return, is a major incentive in a hypercompetitive criminal cyber industry.
The motives that drive criminal elements, however, differ from those of nation-states in cyberspace.
Cyber has become a valuable tool in the larger armoury of governments. Nation-states compete for access and influence in cyberspace. Some governments focus on their own people and political rivals. More generally, cyber is one element of grey-zone activity, or hybrid warfare.
For example, cyber offers both material and a means by which Russia can undertake its long practice in influence and disinformation operations, maskirovka. China has used cyber operations to steal valuable intellectual property, fuelling its own technological competitiveness and economic growth. North Korea uses its cyber capability for financial gain, to fund its nuclear program and to evade sanctions.
By its nature, cyber activity and effect can be hard to discern. It is the dark side of digital: the same technology and systems that generate new business models, greater efficiencies and increased capability, connectedness and capacity inherently carry vulnerabilities, misconfigurations and points of access that can be exploited by an adversary.
But even as governments find cyber useful as a tool and appreciate its potential threat, the usual policies and traditional frameworks of national security have difficulty gaining traction in cyber, because of the nature of the domain.
The operating environment for cyber is vast and ever-changing. Policymakers can’t conceive of their strategic objectives or plan for specific outcomes in cyber as they can for land, sea, air or even space. In those domains, technology is built to operate in, on or through physical terrain.
In cyber, the technology is the terrain. Changing the technology—the logical structure, content and connections of systems and applications—alters the terrain. And that occurs every instant, creating or closing opportunities, threats and means of action within that domain.
Yet cyber isn’t free of the physical world. It is tethered in data centres, fibre networks and sensors. It is shaped by the dependencies inherent in supply chains.
Cyber is also embedded in the social world: human interaction with technology—the access and use of systems, applications, devices and data—adds further complexity and dynamism.
The combinatorial complexity of technology, the physical world, and social purpose and interaction generates, for all intents and purposes, an infinite space of possibility. Structure does matter, but attackers don’t want for opportunities.
Because change is constant, opportunities, and the advantages they may confer if exploited, are fleeting. That fundamentally alters the calculus of risk, cost, benefit, resourcing and outcome.
In the cyber domain, nation-states have little understanding of or control over their own assets and vulnerable threat surface. Governments must deal with considerable tech debt, accumulated since information and communications technologies became commonplace as business tools and control systems, more than 60 years ago.
Legacy ICT includes infrastructure and applications that remain in organisations but are no longer supported by vendors and often neglected. Some legacy systems run operations, industrial systems and critical equipment. Such systems are often bespoke, written without security in mind and unable to be patched.
Then there is shadow ICT, which lies outside official channels and awareness—the server under the desk, the software-as-a-service purchased with a corporate or personal credit card, the ‘free’ use of online storage.
The stock of large and growing amounts of legacy, operational and shadow ICT is a product of a fast-moving, easily accessible, affordable digital environment. But it means that ‘official’ ICT, even within government organisations, captures a comparatively small area of the overall vulnerable threat surface of systems, operations and data.
And with few exceptions, a nation-state’s information technology base is not designed, developed, maintained or controlled by governments, but by private industry, obscuring further its scale, scope, vulnerabilities and opportunities.
There’s no single government body that has a good understanding of what needs defending—or what assets the government has at its disposal—except possibly in the abstract.
That’s unlike other domains of power, where military, diplomatic and intelligence assets, including the physical borders of a country, are carefully accounted for. Changes in those assets are often slow; they are rarely ephemeral, or intangible, in the way that a cyber advantage or tool may be.
The strategic logic of operating in this environment continues to evolve. Strategies—and the ways of thinking, planning and controlling activity—in the conventional domain are likely to be ill-suited to the cyber domain. If applied without understanding or care, they could even prove detrimental to the interests of a nation and its citizens.
New strategies, norms, ways of operating, systems of governance and policies are needed to at least complement, if not replace, conventional frameworks when dealing with the cyber domain.
And a strategic approach based on anticipation, speed and transience in an intangible environment that transcends physical boundaries presents significant challenges to existing norms and institutions. Those include many at the heart of liberal democratic governance and society: evidence-based decision-making, the means of civilian control, the process expected through law, notions of sovereignty, the accountability demanded of democratic institutions, the responsibilities of the private sector, the freedoms of civil society, and the engagement due allies and partners.
Working through all these means that we’re in only the early days of cyber.
So far, governments have focused on the practicalities of interests, threats and operating in the cyber environment. While such difficulties shouldn’t be underestimated, it’s not enough to focus on those alone. Careful thought needs to be given to governance, policy, statecraft and strategy if the challenges of a very different domain of security, one that intrudes into every facet of daily life, are to be managed effectively.